On 13 Nov 2004 01:22:23 -0800, [email protected] (Peter Matulis) wrote:
>My firewall is pretty tight.  I block all incoming by default and let out 
>only certain destination ports.  I'm currently filtering on 
>external interface only.
You do have a 
block log all
at the start of your policy?
>Any comments?
Yes, tweak as appropriate
~~ # grep nbt /etc/pf.conf
anchor nbt
load anchor nbt:nbt from "/etc/pf-nbt.conf"
~~ # cat /etc/pf-nbt.conf
RPC_NBT="{ epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds }"
# Drop NBT on external interface
block quick on $Ext inet proto {tcp,udp} from any to any port $RPC_NBT
It also has the advantage of removing tonnes of meaningless nbt cruft from
the logging of the default 'block log all'.
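
For context, here is a minimal pair of files showing how the anchor above fits into a whole ruleset (an added example, not the poster's own config): the logged default block comes first, the unlogged NBT drop sits in the anchor after it so those packets end evaluation without being logged, and explicit pass-out rules follow. The interface name "em0", the outbound ports, and current "load anchor" syntax are assumptions; the Ext macro is repeated in the anchor file because macros from the main file are not assumed to be visible there.

```pf
# /etc/pf.conf  (example; em0 is an assumed external interface)
Ext = "em0"
set skip on lo

# Default deny, logged.  With no 'quick', a later matching rule wins,
# so only packets that match nothing below end up in pflog.
block log all

# NBT/RPC noise is dropped (unlogged) inside this anchor.  The 'block quick'
# rules in the anchor end evaluation, so these packets never reach pflog.
anchor nbt
load anchor nbt from "/etc/pf-nbt.conf"

# Only the outbound destination ports we actually need (assumed set).
pass out quick on $Ext inet proto tcp from ($Ext) to any port { 22, 80, 443 } modulate state
pass out quick on $Ext inet proto udp from ($Ext) to any port 53 keep state


# /etc/pf-nbt.conf  (example; macro repeated here on the assumption that
# macros from the main file are not visible in a loaded anchor file)
Ext = "em0"
RPC_NBT = "{ epmap, netbios-ns, netbios-dgm, netbios-ssn, microsoft-ds }"

# Drop NBT/RPC on the external interface without logging it
block quick on $Ext inet proto { tcp, udp } from any to any port $RPC_NBT
```

Check both files with `pfctl -nf /etc/pf.conf` before loading; a parse error in the anchor file is reported at load time, not at the anchor line.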
